928 Views, 0 Helpful, 6 Replies

SSL Site-to-Site between ISR 886VA and ASA 5510

Exonix
Level 1

Hi, we have two Cisco routers in our branches: an ISR 886VA and an ASA 5510.
Is it possible to create a site-to-site SSL VPN between them?

ASA1# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(7)15
Device Manager Version 7.8(2)151

Compiled on Tue 07-Mar-17 11:12 by builders
System image file is "disk0:/asa917-15-k8.bin"
Config file at boot was "startup-config"

FRA-ASA1 up 103 days 17 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNlite-MC-SSLm-PLUS-2.08
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 8843.e10c.2c50, irq 9
 1: Ext: Ethernet0/1         : address is 8843.e10c.2c51, irq 9
 2: Ext: Ethernet0/2         : address is 8843.e10c.2c52, irq 9
 3: Ext: Ethernet0/3         : address is 8843.e10c.2c53, irq 9
 4: Ext: Management0/0       : address is 8843.e10c.2c54, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1414L1E8
Running Permanent Activation Key: 0x863bd67b 0x14da2850 0x0132c460 0xda545c4c 0x8c31cab5
Configuration register is 0x1
Configuration last modified by enable_15 at 10:42:14.018 GMT Thu Apr 12 2018

ISR1#sh ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 04-Aug-15 05:50 by prod_rel_team

ROM: System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)

xxxxxxxxxx.dyndns.org uptime is 2 days, 3 hours, 7 minutes
System returned to ROM by power-on
System restarted at 07:31:26 CET Tue Jun 26 2018
System image file is "flash:c800-universalk9-mz.SPA.153-3.M6.bin"
Last reload type: Normal Reload
Last reload reason: power-on

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco C886VA-K9 (revision 1.0) with 488524K/35763K bytes of memory.
Processor board ID FCZ2044B08C
1 DSL controller
1 Ethernet interface
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 32 bits wide
255K bytes of non-volatile configuration memory.
254976K bytes of ATA System CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        C886VA-K9             FCZ2044B08C

License Information for 'c800'
    License Level: advipservices   Type: Default. No valid license found.
    Next reboot license Level: advipservices

Configuration register is 0x2102

The Cisco ISR 886 has a dynamic IP, but it uses the DynDNS service.

If it is possible, how can I configure it?

Thank you in advance!

Accepted Solution

Hi, no, you cannot use SSL for a Site-to-Site VPN. You can only use SSL for a Remote Access VPN on Cisco hardware.


6 Replies

Ok, then which kind of VPN can I use?

As the ASA is running old firmware, you can only set up a crypto map IPsec VPN.

If you were running ASA firmware 9.7+ (I don't think your 5510 supports that) you could also implement a VTI (virtual tunnel interface) running IKEv2.

HTH

I found this article. Does it suit the ISR 800?

This example is using a crypto map between the router and the ASA. If your ISR 886 router is running 15.2(4) or later, then yes.

It appears IKEv2 is supported on your older ASA firmware; however, as stated previously, a VTI is not. Use the example configuration you provided.
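The crypto map IPsec design the replies recommend, written out for this thread's topology as an added example (it is not the linked article and not either device's real configuration). It assumes IKEv1 with a pre-shared key, an ASA outside address of 203.0.113.1, HQ LAN 10.1.0.0/16 behind the ASA, branch LAN 10.2.0.0/24 behind the ISR, and the ISR's WAN on Dialer0; because the ISR's address changes, the ASA uses a dynamic crypto map and DefaultL2LGroup, so only the ISR can bring the tunnel up.

```cisco
! ===== ASA 5510 (9.1) side: static peer that accepts the dynamic-IP ISR =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.255.0
access-list VPN-BRANCH extended permit ip object HQ-LAN object BRANCH-LAN
! NAT exemption so tunnelled traffic keeps its private addresses (assumed interface names)
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
! Dynamic map: the ISR's address is unknown in advance, so there is no "set peer"
crypto dynamic-map DYN-BRANCH 10 match address VPN-BRANCH
crypto dynamic-map DYN-BRANCH 10 set ikev1 transform-set TS-AES256-SHA
crypto dynamic-map DYN-BRANCH 10 set pfs group5
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BRANCH
crypto map OUTSIDE-MAP interface outside
! Dynamic PSK peers land in DefaultL2LGroup: this key accepts any source IP, so make it long and random
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
! ===== ISR 886VA (IOS 15.3(3)M6) side: initiates toward the ASA's fixed address =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.1
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN-HQ
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
! Exempt VPN traffic from PAT, then overload everything else on the WAN interface
ip access-list extended NAT-ACL
 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface Dialer0 overload
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-HQ
interface Dialer0
 crypto map HQ-MAP
```

AES-256 with SHA-1 and DH group 5 are assumed to be the strongest IKEv1 choices this ASA release offers; check the available options with "?" inside the policy, and verify the tunnel with "show crypto isakmp sa" and "show crypto ipsec sa" on either side.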

The ISR has Version 15.4(1r)T1, so I will try.

Thank you!